Security Evaluation of Mobile Applications using 'App Report Cards'
- Tuesday, October 13th, 2015 at 10:00 AM EDT (14:00:00 UTC)
- Raul Siles
The mobile 'App Report Cards' is a scoring and reporting system, distributed as Microsoft Excel spreadsheets in the form of card templates, for a consistent and thorough security analysis and evaluation of Android and iOS mobile applications.
Mobile 'App Report Cards', specifically designed within the "SANS SEC575: Mobile Device Security and Ethical Hacking" training, provide penetration testers and mobile security analysts with a new guided security testing workflow to leverage the multiple tools and common techniques available to evaluate iOS and Android mobile applications. These techniques cover various aspects that influence the security posture of mobile apps, including storage and filesystem usage inspection, and network activity monitoring, interception and manipulation. This information is complemented with application static and automated analysis and reverse engineering techniques, combining app code and behavior analysis for effective app penetration testing. Additionally, opportunities to manipulate application behavior are identified as part of the analysis process by inspecting and modifying the app code, inspecting critical app definitions and interacting with its interfaces and components at runtime.
As a complement to the testing workflow, mobile 'App Report Cards' also provide a significant benefit to mobile application developers. The report helps them review and apply the recommended countermeasures and protections to resolve the identified flaws and meet the security expectations of each report card, while the scoring allows them to evaluate and track how the app's security features progress and mature over time across different app versions.
This webcast will introduce the mobile 'App Report Cards' project and will provide step-by-step details on some of the analysis techniques used to scrutinize Android mobile applications when searching for security vulnerabilities and exploitation opportunities, and suggestions for developers to implement the desired security features.
Raul Siles will be teaching "SANS SEC575: Mobile Device Security and Ethical Hacking" this year in Dubai (Oct 17-22, 2015), http://www.sans.org/event/gulf-region-2015/course/mobile-device-security-ethical-hacking, and London (Nov 16-21, 2015), http://www.sans.org/event/london-2015/course/mobile-device-security-ethical-hacking.
Note for our German attendees (those participating via the Allianz für Cyber-Sicherheit):
Registration for and participation in the webcast are free of charge; all that is required is a one-time registration for a free SANS portal account, which can be created via the Login button at the top right. The general privacy policy of the SANS Institute applies: https://www.sans.org/privacy.
SANS is engaged as a partner in the BSI's Allianz für Cyber-Sicherheit and contributes this webcast in that role.
Raul Siles is founder and senior security analyst at DinoSec. For over a decade, he has applied his expertise performing advanced technical security services and innovating offensive and defensive solutions for large enterprises and organisations in various industries worldwide. He has been involved in security architecture design and reviews, penetration tests, incident handling, intrusion and forensic analysis, security assessments and vulnerability disclosure, web applications, mobile and wireless environments, and security research in new technologies. Throughout his career, starting with a strong technical background in networks, systems and applications in mission-critical environments, he has worked as an information security expert, engineer, researcher and penetration tester at Hewlett Packard, as an independent consultant, and at his own companies, Taddong and DinoSec.
Raul is a certified instructor for the SANS Institute, regularly teaching penetration testing courses. He is an active speaker at international security conferences and events, such as RootedCON, Black Hat, OWASP and BruCON. Mr. Siles is the author of security training courses, blogs, books, articles, and tools, and actively contributes to community and open-source projects. He loves security challenges, and has been a member of international organisations such as the Honeynet Project and the SANS Internet Storm Center. Raul is one of the few individuals worldwide who have earned the GIAC Security Expert (GSE) designation, as well as many other certifications. Raul holds a master's degree in computer science from UPM (Spain) and a postgraduate degree in security and e-commerce.
Raul is a top bloke, absolute genius, would recommend the course based on his teaching skills alone!! - Nic Trujillo, VM